Cisco said it was "not aware of any public announcements or malicious use of the vulnerability."
Oh, good. Because usually internet miscreants and criminals keep Cisco fully in the loop when exploiting vulnerabilities in Cisco equipment.
Cisco has patched a cross-site scripting vulnerability in two VPN routers it sells to small businesses and branch offices. The software update addresses CVE-2020-3431, a bug present in the Cisco Small Business RV042 Dual WAN VPN Router and Cisco Small Business RV042G Dual Gigabit WAN VPN Router. We're told this flaw can be …
"The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software."
When, oh when, will developers accept that specific, whitelist-based, context-dependent validation is essential for every input?
It's far from sufficient to declare that you "haven't heard of our cock-up being abused", particularly as it's so simple to avoid making it in the first place.
Anyone heard of OWASP?
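The whitelist-based, context-dependent validation the comment above calls for, shown as an added example that is not code from the article, from Cisco, or from the commenter: the form fields, their allowlist rules and the sample values are all constructed, and the vulnerable renderer only illustrates the "insufficient validation of user-supplied input" pattern the advisory describes.

```python
"""Allowlist validation plus output encoding for a web management form.
Constructed example: field names and rules are hypothetical and are not
taken from any Cisco product or advisory."""
import html
import re

# Per-field allowlist: each field accepts only the shape it actually needs.
# There is no default-allow rule, so an unknown field is rejected outright.
ALLOWLIST = {
    "hostname": re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"),
    "port":     re.compile(r"^[0-9]{1,5}$"),
    "note":     re.compile(r"^[A-Za-z0-9 .,'_-]{0,64}$"),
}


def validate(field: str, value: str) -> bool:
    """Return True only if the value matches the field's allowlist.

    The regex fixes the character set and length; the range check on
    'port' is the context-dependent part a pattern alone cannot express."""
    rule = ALLOWLIST.get(field)
    if rule is None or rule.fullmatch(value) is None:
        return False
    if field == "port" and not 1 <= int(value) <= 65535:
        return False
    return True


def render_vulnerable(field: str, value: str) -> str:
    """Reflects the submitted value straight into an HTML attribute.

    No validation and no encoding: a quote in the value closes the
    attribute and the rest is interpreted as markup (reflected XSS)."""
    return f'<input name="{field}" value="{value}">'


def render_hardened(field: str, value: str) -> str:
    """Validate first, then encode for the HTML attribute context.

    The two layers are deliberately separate: validation rejects input the
    field never needs, encoding makes whatever survives inert in this
    output context (note how an allowed apostrophe is still encoded)."""
    if not validate(field, value):
        raise ValueError(f"rejected value for field {field!r}")
    return f'<input name="{field}" value="{html.escape(value, quote=True)}">'
```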
It's much, much older than that. It predates OWASP, the GPL, Linux, and even GNU.
It used to be called GIGO (Garbage In, Garbage Out) and it was taught in introductory COBOL when I learned it in the '70s. We were taught that all inputs needed to be verified and intermediate results needed to be bounds-checked.
The term dates to 1957 when William Mellin wrote "sloppily programmed inputs inevitably lead to incorrect outputs." I think that sums it up.
N.B. Old Brits may know it as RIRO (Rubbish In Rubbish Out) but, to me, that sounds like something Scooby-Doo would say.
Biting the hand that feeds IT © 1998–2020